RMCP support

Vernon Mauery vernon.mauery at linux.intel.com
Sat Sep 14 04:41:08 AEST 2019


On 13-Sep-2019 10:50 AM, Alexander Amelkin wrote:
> 11.09.2019 20:31, Vernon Mauery wrote:
> > On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
> >> Is there any plan to add RMCP support in IPMI LAN stack ?
> > There are no plans for adding RMCP support. RMCP is horribly insecure; 
> > even more insecure than the least secure RMCP+ cipher suites (not 
> > counting cipher suite 0, which should not even be a thing.)
> >
> > Not implementing RMCP was an intentional choice. RMCP+ is insecure, 
> > especially with passwords shorter than 8 (as shown by Rick Altherr's 
> > OSFC 2019 presentation). It is recommended that RMCP+ is only used with 
> > cipher suite 17 and maximum length passwords (20 characters). Ideally, 
> > it would not be used at all, preferring Redfish, which uses modern 
> > crypto.
> >
> > Every open source IPMI utility out there supports RMCP+. That should be 
> > used instead of RMCP.
> 
> What about RMCP pings used for device discovery as described in section 13.13 of
> IPMI specification?

I don't have any problem in particular with RMCP Ping, but it is not 
implemented. It is not required by RMCP+ as far as I can tell. The spec 
calls out that is *is* required for RMCP, and can be implemented for 
RMCP+.

> AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
> discover OpenBMC devices.

>From what I can tell, the spec suggests that you send a Get Channel 
Authentication Capabilities request to discover RMCP+ devices.

--Vernon


More information about the openbmc mailing list